I am operating a private network of machines with one external IPv4 address in a datacenter and have asked the datacenter to give me another IPv4 address from a different ISP provider to achieve load-balance and redundancy. The datacenter provided me only one ethernet line originally and they have now given me the information about the additional IP address and told me that it is possible to configure the two IPs using the existing single ethernet line. Although I have been using OpenWrt for two years and Linux for 10 years, I am not a network expert and not sure how to do this correctly without getting locked out of the network since I am doing this remotely so I have limited capacity for experimentation. I have set up a crontab command cp /etc/config/network.backup /etc/config/network && /etc/init.d/network restart to run every hour to revert to the old settings in case anything goes wrong. So, I prefer a method that only touches the /etc/config/network file.
My OpenWrt router has only two ethernet ports, one for LAN and one for WAN, and has a Chinese version of OpenWrt installed which has a line saying Powered by LuCI Master (git-22.095.24346-72703c8) / OpenWrt R22.4.1 SPP K54 Spring[2022] by eSir. There is no option to set up Switch and Load Balance under Network on the web client. Currently, /etc/config/network looks like this:
If anyone can help me solve this technical challenge to set up the two public IP addresses and load balance, that will be greatly appreciated. I can provide additional information if needed.
Since you already use a static proto for your wan this becomes rather easy.
Convert your existing ipaddr + netmask options to CIDR notation and simply add another list entry:
config interface 'wan'
    option ifname 'eth1'
    option proto 'static'
    list ipaddr '12.34.56.78/24'
    list ipaddr '66.77.88.99/24'
    option dns '8.8.8.8'
    option gateway '12.34.56.1'
Note that busybox ifconfig will not display unlabelled secondary addresses; use ip -4 addr show dev eth1 to verify the IP configuration of eth1.
Thank you very much for the quick reply. But the two IP addresses also have different gateways. The IP for 66.77.88.99 is more like 66.77.88.1. Do I simply add another option option gateway '66.77.88.1' at the end? And then how is load balancing handled? Does the router automatically choose the public IP address in a round-robin fashion for outgoing traffic?
My memory is fuzzy... but my impression is you will need ip rule and proper ip route entries to select your src address.
Sure, this totally depends on if you are doing source or destination NAT or whatnot.
Edit: no, you cannot have two gateways in the UCI config. You will need to use ip rule for that, to select the gateway and src address, iirc.
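Added example, not part of any post in this thread: a dry-run shell sketch of the ip rule / ip route approach mentioned above, which prints one routing table and one source rule per uplink after checking that each gateway is on-link. The addresses are the thread's placeholders; the table ids 101/102, the rule priorities and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: source-based policy routing for two uplinks on one port.
# Addresses are the thread's placeholders; table ids 101/102, the rule
# priorities and all function names are assumptions of this example.

# network_of <ipv4> <prefix_len>: print the network address.
network_of() {
    n_plen=$2
    n_ifs=$IFS; IFS=.
    set -- $1                      # split the dotted quad into $1..$4
    IFS=$n_ifs
    n_addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    n_mask=$(( (4294967295 << (32 - n_plen)) & 4294967295 ))
    n_net=$(( n_addr & n_mask ))
    echo "$(( (n_net >> 24) & 255 )).$(( (n_net >> 16) & 255 )).$(( (n_net >> 8) & 255 )).$(( n_net & 255 ))"
}

# gw_on_link <src_ip> <prefix_len> <gateway>: true if the gateway is in the
# same subnet as the source address, i.e. reachable without another router.
gw_on_link() {
    [ "$(network_of "$1" "$2")" = "$(network_of "$3" "$2")" ]
}

# uplink_cmds <src_ip> <prefix_len> <gateway> <dev> <table>
# Print (never execute) the commands that pin one source address to its own
# gateway. Refuses a gateway that is not on-link, which the kernel would
# not accept as a next hop.
uplink_cmds() {
    u_src=$1; u_plen=$2; u_gw=$3; u_dev=$4; u_tbl=$5
    if ! gw_on_link "$u_src" "$u_plen" "$u_gw"; then
        echo "refusing: gateway $u_gw is outside $u_src/$u_plen" >&2
        return 1
    fi
    u_net=$(network_of "$u_src" "$u_plen")
    echo "ip route replace $u_net/$u_plen dev $u_dev src $u_src table $u_tbl"
    echo "ip route replace default via $u_gw dev $u_dev src $u_src table $u_tbl"
    echo "ip rule add from $u_src/32 lookup $u_tbl priority $((1000 + u_tbl))"
}

# Dry run for the two uplinks discussed in the thread: review the output
# before applying any of it on the router.
uplink_cmds 12.34.56.78 24 12.34.56.1 eth1 101
uplink_cmds 66.77.88.99 24 66.77.88.1 eth1 102
```

These rules only make traffic sourced from each address leave through its own gateway; spreading new outgoing connections across both uplinks is still a job for mwan3, as suggested in the thread.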
Load balancing, hmm. In this case I suggest spawning a virtual macvlan device where you assign the IP address with a different metric and gateway. Then deploy the mwan3 package to manage balancing and route selection policies.
After I edit to the above configuration and run /etc/init.d/network restart, will I get locked out of the system since my IP may not have been configured correctly yet? Or is it already working correctly with the only problem of load-balancing not set up yet?
By the way, when I try to install mwan3, I see the following errors:
root@OpenWrt:~# opkg install mwan3
Multiple packages (libgcc1 and libgcc1) providing same name marked HOLD or PREFER. Using latest.
Package mwan3 (2.11.1-1) installed in root is up to date.
Collected errors:
* pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.137-1-f37b15cceba2187f40d81d8285a3a0e1) for kmod-nf-reject
* pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.137-1-f37b15cceba2187f40d81d8285a3a0e1) for kmod-nf-ipt
* pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.137-1-f37b15cceba2187f40d81d8285a3a0e1) for kmod-nf-log
* pkg_hash_fetch_best_installation_candidate: Packages for kmod-nf-log found, but incompatible with the architectures configured
* pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.137-1-f37b15cceba2187f40d81d8285a3a0e1) for kmod-ipt-core
* pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.137-1-f37b15cceba2187f40d81d8285a3a0e1) for kmod-nfnetlink
* pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.137-1-f37b15cceba2187f40d81d8285a3a0e1) for kmod-ipt-ipset
...
It seems that mwan3 has been installed but some dependencies are missing. Is it still possible to run mwan3?
I have run /etc/init.d/network restart and I am still able to log in to the system. ifconfig shows an additional interface eth1alias with the specific IP address. I can also use the other IP to ssh login to my servers after selecting the same firewall zone for eth1alias/WAN2.
Just need to set up mwan3. Never used it. Hope it won't be too difficult. Still no idea how to do it. Thank you very much for the help! That saved my day!
In the following configuration, how can I specify multiple aliases for eth1?
config device
    option type macvlan
    option mode vepa
    option ifname eth1
    option name eth1alias
It seems that if I do
option name eth1alias1
option name eth1alias2
option name eth1alias3
then wan2 will only work if option ifname is set to eth1alias3, not if set to eth1alias1 or eth1alias2.
My goal is to move '12.34.56.78' also to a virtual interface so that real-time traffic monitor will not show the combined traffic of both IP addresses.
Repeat the config device section entirely and change the name:

config device
    option type macvlan
    option mode vepa
    option ifname eth1
    option name wan1 # using a shorter and more descriptive name here

config device
    option type macvlan
    option mode vepa
    option ifname eth1
    option name wan2 # using a shorter and more descriptive name here

config interface 'wan'
    option ifname 'wan1'
    option proto 'static'
    option metric 10
    option ipaddr '12.34.56.78'
    option netmask '255.255.255.0'
    option dns '8.8.8.8'
    option gateway '12.34.56.1'

config interface 'wan2'
    option ifname 'wan2'
    option proto 'static'
    option metric 20
    option ipaddr '66.77.88.1'
    option netmask '255.255.255.0'
    option gateway '44.55.66.77'
However, it seems that I can use both veth1 and veth2 for wan2 but neither of them works for wan1. Only eth1 itself works for wan1. I can do more tests, but it takes several minutes for me to be able to ssh login to the servers again after running /etc/init.d/network restart after a change of configuration.
Note that these virtual macvlan devices use virtual (locally generated) ethernet MAC addresses as well; this might or might not interact negatively with your provider's switch infrastructure (and it likely is the reason why you have to wait a while to regain connectivity because the switches have to "learn" the new MAC).
Check the assigned MAC addresses with ifconfig or ip link, and make sure that they are different ones. Also consider assigning fixed ones using option macaddr 02:11:22:... in the config device sections.
It is true that the change of mac address caused me to have to wait for several minutes to reconnect and using the pre-existing mac address for wan2 (using veth2) eliminated the delay.
However, how should I deal with wan1? If the ISP only recognizes the mac address of eth1, it seems that I cannot use the same mac address of eth1 for veth1 since there might be a conflict. Then, is it even possible to set veth1 for wan1? Maybe the only possibility to do so is to negotiate with the ISP to assign the IP address to a different mac address if that is possible and the personnel there know how to do it?